At the CSO Perspectives conference, security execs outlined their process for hiring, promoting, and training employees to maintain a desired level of corporate protection

By Matt Hines

InfoWorld|Mar 17, 2008

Good help is hard to find, and in the world of IT security, there's little question that finding the right people to defend your operations and corporate reputation is a cornerstone to achieving success.

Getting the necessary mix of security professionals together and finding the right way to keep them onboard and focused on your organization's top priorities is no easy task, experts said, and demands year-round attention.

Speaking at the ongoing CSO Perspectives conference in Atlanta, leading security executives outlined their process for hiring, promoting, and training employees to maintain a desired level of corporate protection.

To find the type of people that you really want on your security workforce, one of the first things to remember is that a pile of certifications isn't necessarily as important as finding employees who will best fit in with your organizational culture, said Lynda Fleury, chief information security officer at Unum, a provider of corporate benefits programs.

"To me, attitude has more weight than skill. You can train people on security, network administration, and monitoring; expertise and knowledge are important, but a winning attitude and the ability to gel with staff and your corporate culture are key," Fleury said. "You want people who speak about 'we', not 'I', because in my experience there is never a single hero in IT security. If something is wrong, there is more than one person to blame, and no one individual is responsible for the team's success."

Beyond making sure that candidates are truthful in representing their skills, by putting potential new hires through batteries of mock tests and running all the necessary background checks, it's also vital, once you've decided to bring someone onboard, to first introduce them to the line-of-business workers with whom they might interact.

One of Fleury's larger keys to success is aligning her team with overarching business objectives and getting people involved in company efforts that will impact IT security as early as possible, she said.

By introducing security job candidates to the business executives they will support in their respective roles, it's easier to identify potential conflicts and ensure that you're getting the right person to step into the position, Fleury said.

Once hired, it's vital to continue to provide opportunities for workers to increase their value and advance their careers by making sure that they have access to additional training and graduate programs, said the Unum executive, who currently manages a staff of 28 security pros.

It's also important to retain a firm understanding of people's individual training and capabilities as part of a well-defined program that helps measure their performance, and to accrue data for use in defending promotions, she said.

As part of its security recruiting and retention programs, Unum also uses a professional services firm, PricewaterhouseCoopers, to make sure that it remains well positioned.

"We continue to look at measurement; it's always a challenge, and we constantly ask PWC if we have the right people and if we're doing the right things. It's key to have that external view to help understand our strengths and weaknesses," said Fleury.

"And you want to have very well-defined job skills; we use skills competency grids and look for certain sets of [factors] to consider promotions," she said. "As part of our corporate process, we also have to submit proposals to an IT leadership team to ensure that promotions are worthy."

Employee background checks are an area where some IT security leaders admit that they've been forced to rethink their approach based on the globalization of their workforce and the potential for insider attacks.

Doing a rudimentary background check doesn't cut it when you're recruiting people all over the world or candidates who come from or have worked in foreign nations, said Richard Dorough, CISO at manufacturing giant Textron.

"When it comes to background checks, we've had to review our entire hiring process. We've retrenched because we had some inconsistencies in the past," Dorough said.

"We discovered that we were failing at handoffs between different elements of our business, so we changed the process to address that and prevent people from falling through the cracks," he said. "We had also traditionally done only local felony checks, but not national; for people that have sensitive levels of access, you really need to do national checks, or even multinational when you can get them."

Another fundamental tenet of sound IT security management is making sure that workers, both security-specific professionals and generalists, understand why an organization is making the decisions it has made -- and communicating that message to everyone affected, speakers said.

"It's always important to explain your work in the context of business problems," said Dave Morrow, chief security and privacy officer at consulting giant EDS. "Oftentimes we in security are our own worst enemies for not thinking of interesting ways to communicate with business leaders; if you can frame the discussion not as security, but as a business improvement, you'll get a lot more acceptance."